2

When I connect to a file share using \servername\share in Windows explorer (windows 10 to a windows server share), I notice that there are also connections from my host to the destination server over port 5985, the wsman protocol port.

I couldn't find any obvious information on why this would happen. Anyone got any clue as to why this would occur?

Improve this question

1 Answer 1

Reset to default
2
+50

I don't have an answer as to "why", but here's a forum post by someone that shows that SMB3 connections from Win10 will also attempt to connect via wsman.

https://answers.microsoft.com/en-us/windows/forum/all/a-windows-10-client-accessing-a-smb3-file-share/98e3d0ed-89da-40c1-b68c-553bf9999550

From doing some more reading around, it seems like this might be from server-management features on the client; like if you have RSAT installed on it, it may attempt to connect via WS-MAn (PS Remoting).

Is that the case? What version(s) are your Win10 clients and fileservers? What process on the client is using TCP 5985; is it explorer.exe or something else?

What problem are you trying to solve?

Improve this answer
1
  • 1
    I think RSAT is the bingo here, as that is installed on my client. I was mainly trying to understand the behavior as I noticed it in a SIEM. Thank you.
    – dcom-launch
    Commented May 9, 2022 at 13:43

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .